nanog mailing list archives

Re: Trojan Alert was: Check this

From: Kevin Houle <kjh () cert org>
Date: Thu, 09 Mar 2000 21:14:58 +0000


-----BEGIN PGP SIGNED MESSAGE-----

Kai Schlichting wrote:


On another operational note: I am seeing a vastly swelling number
of customers falling victim to the NETWORK.VBS worm: a simple VB script
that first scans surrounding network space for open, writable windows
shares (and replicates by copying itself into a shared C:\ drive, if
such drive is shared), then goes on to randomly scan /24's , where the
3 first octets of the IP number are random: this is generating
boatloads of violations in my "no RFC1918 in or out" filters (and
this is how this came to my attention).


We've been getting reports of network.vbs since about 2/24. There 
is a CERT Incident Note discussing network.vbs and the general 
need to secure unprotected Windows networking shares.

  http://www.cert.org/incident_notes/IN-2000-02.html

You are welcome to use it as a reference with customers.

Kevin

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQCVAwUBOMgULVFO4fmE3w/VAQFw8gQAhIloQWbHy0mkrck6w54tUTnHxjkPDCFH
P0B27FbF/ok/yfPnLeUymVP/Vt3ptoSVs38bl/mP1BX83osix9JweFpapZZV+sVn
Uu6BFfIDCv/o3h3NuQiprWmaJjtCzi1kNfqHM6hLxrbTNqo4Evzd+t5MY8+fncwX
OthSzyq5geA=
=Eqay
-----END PGP SIGNATURE-----

Current thread:

Trojan Alert was: Check this Kai Schlichting (Mar 09)
- Re: Trojan Alert was: Check this I did geektools owns Henry R. Linneweh (Mar 09)
- Re: Trojan Alert was: Check this Kevin Houle (Mar 09)
- Message not available
  - Re: Trojan Alert was: Check this Kai Schlichting (Mar 09)
- OT: VBS.FREELINK and Anti-Virus Defaults was: Check This David Kennedy CISSP (Mar 09)
- Re: Trojan Alert was: Check this Chris Brenton (Mar 09)
- <Possible follow-ups>
- Re: Trojan Alert was: Check this Steven M. Bellovin (Mar 09)
- Re: Trojan Alert was: Check this Hermann Wecke (Mar 09)